Writing YARA rules for Livehunt

Livehunt uses an up-to-date version of YARA, which means that the latest YARA documentation is usually the place to go for a detailed description
of the language and its features. However, there are a few things that you need to know while creating YARA rules specifically tailored for Livehunt.

  • Rules for which YARA raises performance warnings are not accepted by Livehunt. Such rules are usually very slow and degrade the service both for you and for the rest of the users.
  • You cannot use include statements in your rules.
  • Standard modules currently supported are: pe, elf, math, magic, hash, cuckoo, and dotnet.
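
A pre-submission check for the restrictions listed above, as an added example that is not part of the original page or of Livehunt itself: it flags include statements and imports of modules outside the supported list. The function name and the sample ruleset are constructed for illustration, vt is treated as allowed because this page describes it as Livehunt's custom module, and performance warnings are not covered because they come from the YARA compiler.

```python
import re

# Modules the page lists as supported, plus the custom vt module it describes.
ALLOWED_MODULES = {"pe", "elf", "math", "magic", "hash", "cuckoo", "dotnet", "vt"}

# Minimal tokenizer: comments are skipped, strings and bare words are kept, so
# that "include" inside a comment or a string literal is never misread.
# Limitation: regex literals are not tokenized; one containing // or /* could
# hide the tokens that follow it.
TOKEN = re.compile(r'''
    (?P<comment>/\*.*?\*/|//[^\n]*)
  | (?P<string>"(?:\\.|[^"\\\n])*")
  | (?P<word>[A-Za-z_]\w*)
''', re.S | re.X)

# Constructed sample ruleset (not from the page).
SAMPLE = '''\
include "common/base.yar"
import "vt"
import "console"
// include "old.yar" (commented out, must not be flagged)
rule demo {
  strings:
    $s = "import \\"pe\\" as text"
  condition:
    $s and vt.metadata.new_file
}
'''


def lint_livehunt_rules(source):
    """Return (line, message) findings for include statements and unsupported imports."""
    tokens = [m for m in TOKEN.finditer(source) if m.lastgroup != "comment"]
    findings = []
    for tok, nxt in zip(tokens, tokens[1:]):
        if tok.lastgroup != "word" or nxt.lastgroup != "string":
            continue
        line = source.count("\n", 0, tok.start()) + 1
        target = nxt.group()[1:-1]  # strip the surrounding quotes
        if tok.group() == "include":
            findings.append((line, f'include "{target}" is not allowed'))
        elif tok.group() == "import" and target not in ALLOWED_MODULES:
            findings.append((line, f'module "{target}" is not supported'))
    return findings


if __name__ == "__main__":
    for line, message in lint_livehunt_rules(SAMPLE):
        print(f"line {line}: {message}")
```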

The vt module

In order to expose all the information that Google Threat Intelligence has about the file being scanned, we have created a custom YARA module named vt. This module contains metadata like antivirus signatures, file type, file behavior, submitter, etc. The vt module replaces the previous mechanism for exposing a file's metadata, which was based on custom variables like signatures, positives, file_name, and so on. These variables have been deprecated and you can migrate to the vt module using the legacy variables guide.

⚠️ The vt module always matches the last submission, i.e. the one that generated the YARA matching event.

// Newly submitted PE executables that more than one engine flags as malicious.
import "vt"
rule new_infected_pe {
  condition:
    vt.metadata.new_file and
    vt.metadata.analysis_stats.malicious > 1 and
    vt.metadata.file_type == vt.FileType.PE_EXE
}

// Files with any MBC catalog entry whose behavior is "Dynamic Analysis Evasion".
import "vt"
rule behavior_evasion {
  condition:
    for any catalog in vt.behaviour.mbc: (
      catalog.behavior == "Dynamic Analysis Evasion"
    )
}

// URLs with a /gate/<60 characters>/ path followed by one of three endpoints.
import "vt"
rule LilithBot {
  condition:
    vt.net.url.raw matches /\/gate\/.{60}\/registerBot/ or
    vt.net.url.raw matches /\/gate\/.{60}\/getFile\?name=admin_settings_plugin\.json/ or
    vt.net.url.raw matches /\/gate\/.{60}\/uploadFile\?name/
}

From the examples above you probably already got the idea. The vt module has a lot of information about the file or network resource being scanned, and that information can be used in your Livehunt rules for filtering out unwanted files or network analyses and focusing on what you are really looking for. You are not limited to creating rules based on file content alone; there is a lot of metadata at your disposal.

The vt module is divided into three submodules that allow you to create rules that expose most of the information that can be found in the platform: